[Bug 642] New: state matching (--rcheck) in xt_recent kernel module fails

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 26 17:05:27 CET 2010


http://bugzilla.netfilter.org/show_bug.cgi?id=642

           Summary: state matching (--rcheck) in xt_recent kernel module
                    fails
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: ip_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: lisaev at indiana.edu


In the recent kernel the module xt_recent is buggy: when one tries to match the
state of a packet with "-m recent ... --rcheck -j my_chain", the event fails,
although the packet should have passed to my_chain. This is only a failure of
--rcheck, as --set/--remove/--seconds do work.

For instance, in this example:

-A IF_KNOCK -p tcp -m tcp --dport 1234 -m recent --set --name IF_KNK_LIST --rsource -j LOG --log-prefix "kseq1--waiting: " --log-level 6 --log-ip-options --log-uid
-A IF_KNOCK -p tcp -m tcp --dport 5678 -m recent --rcheck --seconds 30 --name IF_KNK_LIST --rsource -j KNOCK_ACCEPT

the chain KNOCK_ACCEPT will never be traversed, even if the two packets arrive
at ports 1234 and 5678 within a 30 sec window.

A similar bug has already been noticed in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544984
and Arch Linux:
http://bugs.archlinux.org/task/18845

* package version(s)
kernel 2.6.32.10-1
iptables 1.4.7-1
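A Python model of the xt_recent semantics the report's two rules rely on (--set, --rcheck with --seconds, plus --update and --remove, keyed by source address as with --rsource), added here as an example; it is not part of the bug report or of the kernel module, the addresses and the fake clock are constructed, and the --seconds/--hitcount window logic is a simplification of the kernel's jiffies-based check.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock so the knock timing can be replayed deterministically."""
    def __init__(self, t=0.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class RecentTable:
    """Toy model of one xt_recent list (e.g. IF_KNK_LIST), keyed by source address."""
    def __init__(self, clock=time.monotonic, max_stamps=20):
        self.clock = clock  # max_stamps mirrors the module's per-entry stamp limit
        self.entries = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src):
        """--set: list src, recording a fresh timestamp."""
        self.entries[src].append(self.clock())
        return True

    def rcheck(self, src, seconds=None, hitcount=None):
        """--rcheck: src listed; with --seconds, last hit within the window
        (with --hitcount, at least that many hits within the window). Never updates."""
        stamps = self.entries.get(src)
        if not stamps:
            return False
        if seconds is None:
            return True
        now = self.clock()
        if hitcount is None:
            return now - stamps[-1] <= seconds
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount

    def update(self, src, seconds=None, hitcount=None):
        """--update: as --rcheck, but refresh the timestamp on a match."""
        if not self.rcheck(src, seconds, hitcount):
            return False
        self.entries[src].append(self.clock())
        return True

    def remove(self, src):
        """--remove: drop src from the list."""
        return self.entries.pop(src, None) is not None


def knock_reaches_accept(gap_seconds, src="192.0.2.10"):
    """Replays the report's rules: a packet to 1234 (--set), then gap_seconds
    later one to 5678 (--rcheck --seconds 30). True means KNOCK_ACCEPT should be hit."""
    clock = FakeClock()
    table = RecentTable(clock=clock)
    table.set(src)
    clock.advance(gap_seconds)
    return table.rcheck(src, seconds=30)
```

knock_reaches_accept(gap) gives the expected outcome of the second rule for a given delay; on a live host the equivalent observation is the packet counter of the KNOCK_ACCEPT rule in iptables -L IF_KNOCK -v -n -x and the entry in /proc/net/xt_recent/IF_KNK_LIST.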

